Michal Špaček

In your web, securing your app. Hacker, web developer, speaker, engineer. Security Shoptet, ex-Report URI. I believe HTTPS stands for How To Transfer Private Sh*.
Blog & site: https://www.michalspacek.com/
Blog & site in Czech: https://www.michalspacek.cz/
Password storage disclosures: https://pulse.michalspacek.cz/passwords/storages
Reporting API Demos, CSP etc.: https://canhas.report/

One of my favorite XSS tricks when you can add only attributes (when < and > are removed from the input) is to add onfocus=alert(1) and autofocus: <input value="" onfocus="..." autofocus="">.

To avoid creating a "focus loop", I often add this.blur() to the onfocus handler; otherwise alert(1) steals the focus, and when you close it, the field gains focus once again, and so on 😅
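The attribute-injection context the post describes, as an added example that is not the author's code: a template that only strips angle brackets next to one that escapes the attribute value, plus a small attribute scanner (constructed for the example, not a real HTML parser) showing that the payload becomes separate attributes in the first case and stays inert text in the second. The payload string and the this.blur() trick are taken from the post; everything else is assumed.

```javascript
// Added example, not from the original post: why removing "<" and ">" does not stop XSS
// when user input is rendered inside an HTML attribute value.

// Assumed vulnerable pattern: the only "sanitization" is dropping angle brackets.
function stripAngleBrackets(input) {
  return input.replace(/[<>]/g, "");
}

// Hardened form: escape every character that can terminate or alter the attribute value.
function escapeAttr(input) {
  const map = { "&": "&amp;", '"': "&quot;", "'": "&#39;", "<": "&lt;", ">": "&gt;" };
  return input.replace(/[&"'<>]/g, (c) => map[c]);
}

function renderVulnerable(value) {
  return `<input value="${stripAngleBrackets(value)}">`;
}

function renderHardened(value) {
  return `<input value="${escapeAttr(value)}">`;
}

// The attribute-only payload from the post: close the value attribute, add an onfocus
// handler, and autofocus so the handler fires without any user interaction.
// this.blur() releases focus so that dismissing the alert does not re-fire the handler.
const PAYLOAD = '" onfocus="this.blur();alert(1)" autofocus="';

// Minimal attribute scanner for a single tag with double-quoted values (constructed for
// this example; not an HTML parser). Returns the attribute names in order of appearance.
function attributeNames(tag) {
  const names = [];
  const re = /([A-Za-z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered tag carries an event-handler attribute (on*).
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith("on"));
}

// renderVulnerable(PAYLOAD) yields value, onfocus and autofocus as separate attributes;
// renderHardened(PAYLOAD) keeps the whole payload inside the value attribute.
```

In a real page the attribute boundary is decided by the browser's HTML parser, not by the regex above; the scanner only makes visible where the quote in the payload ends up. The fix is context-aware output encoding (escape `&`, `"`, `'`, `<`, `>` for attribute values), not a denylist of characters.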

Naming is hard, so that's why my @phpstan extension called "Disallowed **Calls**" now supports disallowing **properties** 😅 Also a Friday the 13th release 👻 (at least in my timezone). https://github.com/spaze/phpstan-disallowed-calls/releases/tag/v4.9.0
When issuing an HTTPS certificate, the CA needs to make sure you own the domain, and one of the many methods is via email, where they'll email you a link. This method will be discouraged in March 2026 and disabled in March 2028.
See https://security.googleblog.com/2025/12/https-certificate-industry-phasing-out.html + https://cabforum.org/2025/11/20/ballot-sc-090-gradually-sunset-all-remaining-email-based-phone-based-and-crossover-validation-methods-from-sections-3.2.2.4-and-3.2.2.5/

Instead of `cat`, I use `bat`, "a cat(1) clone with wings." https://github.com/sharkdp/bat

It supports syntax highlighting, line numbers, git, invisible chars etc. I even have it aliased to `cat`.

But if you'd like to concat multiple files into a single file, like `cat 1 2 3 > foo`, you should run the original unaliased `cat` (by prefixing it with `\`, like `\cat`), which seems much faster, in my case up to 10x. So now my scripts contain `\cat` instead of just `cat`.

Best news I've discovered today is that ripgrep is also available for Windows and you can install it with winget (winget install ripgrep). ripgrep is like the grep utility on Linux, but a bit faster, and it also accepts grep's params. https://github.com/burntsushi/ripgrep

Michal Špaček @spazef0rze presenting his talk "Password Reuse Is a Dumpster Fire – We Brought a Hose" at #PasswordsCon in Prague, December 2, 2025.

https://www.youtube.com/watch?v=AuCNgoDf-5c

Looking at my access logs, the easiest way to block web scanners & bots is to block requests with a User-Agent header that says "old browser", where old is -10 major versions and older 😁 Both Chrome and Firefox release major versions every 4 weeks. For example, Chrome current is 142 and bots use Chrome/120, 116 etc. It's mostly a fun idea, but it seems like I need a PoC 😅 Of course this wouldn't block all bots, and it would be easy for them to adapt, but this could be a cheap way to get rid of all the "wordpress scanners" etc.
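A proof of concept for the stale-browser rule above, added here as an example and not the author's code: it extracts the claimed Chrome or Firefox major from a User-Agent string, flags it when it is 10 or more majors behind the current release, and runs that over a few access-log lines. Chrome 142 as the current major comes from the post; Firefox 145, the `CURRENT_MAJOR` table, the `MAX_LAG` threshold name and the sample log lines are constructed for the example.

```javascript
// Added example (not the author's code): proof of concept for blocking requests whose
// User-Agent claims a browser major far behind the current one.

// Assumed current stable majors (Chrome 142 is from the post, Firefox 145 is an assumption);
// in production these need to be refreshed with every 4-week release cycle.
const CURRENT_MAJOR = { Chrome: 142, Firefox: 145 };
// "old" means this many major versions behind, or more.
const MAX_LAG = 10;

// Pull the browser family and major version out of a User-Agent string.
// Chromium derivatives (Edge, Opera, Brave) also carry a Chrome/NNN token, so they are
// covered; Firefox carries Firefox/NNN. Returns null for anything else (curl, crawlers, ...).
function parseBrowserVersion(ua) {
  const m = /\b(Chrome|Firefox)\/(\d+)/.exec(ua);
  return m ? { browser: m[1], major: Number(m[2]) } : null;
}

// True when the claimed major is MAX_LAG or more behind the current one.
// Unknown UAs return false: this rule only targets bots pretending to be browsers.
function isStaleBrowser(ua, current = CURRENT_MAJOR, maxLag = MAX_LAG) {
  const v = parseBrowserVersion(ua);
  if (!v) return false;
  return current[v.browser] - v.major >= maxLag;
}

// Parse one Combined Log Format line (nginx/Apache default): IP, request line, User-Agent.
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d+ \S+ "[^"]*" "([^"]*)"$/.exec(line);
  return m ? { ip: m[1], request: m[2], userAgent: m[3] } : null;
}

// Return the parsed requests that the rule would block.
function findStaleRequests(lines) {
  return lines.map(parseLogLine).filter((r) => r !== null && isStaleBrowser(r.userAgent));
}

// Constructed sample access log: two scanner-style requests with old browser majors,
// one current browser, one crawler without a browser token.
const SAMPLE_LOG = [
  '203.0.113.5 - - [03/Dec/2025:10:00:01 +0100] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
  '198.51.100.7 - - [03/Dec/2025:10:00:02 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36"',
  '198.51.100.9 - - [03/Dec/2025:10:00:03 +0100] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:116.0) Gecko/20100101 Firefox/116.0"',
  '192.0.2.44 - - [03/Dec/2025:10:00:04 +0100] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
];

// findStaleRequests(SAMPLE_LOG) returns the Chrome/120 and Firefox/116 requests only.
```

Chrome's reduced User-Agent freezes the minor and patch parts ("Chrome/142.0.0.0") but keeps the major, so the rule still has a signal to work with. Before turning this into a block, run it in log-only mode: embedded webviews, extended-support releases and people on unmaintained devices report genuinely old majors, and, as the post says, a scanner only has to bump one number to get past it.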
TIL that OCI stands for "Oracle Cloud Infrastructure" and *also* "Open Container Initiative". I first learned about the former ("Oracle Cloud Infrastructure") and just spent 5 minutes trying to understand a bug where they used OCI in the latter meaning ("resolves remote OCI artifacts").
My random number generator just did a Dilbert.
Did you know Facebook has a Certificate Transparency monitoring tool? Never mind then, they're shutting it down anyway :-) https://developers.facebook.com/tools/ct